Glossary


ACCSEC: Accountable security (encrypted) devices
ALMO: Asset and Licence Management Officer
CESG: Communications Electronics Security Group (the UK Government's national technical authority for information assurance)
Custodian: Person responsible for managing encryption systems
IGSG: Information Governance Security Group (the body that oversees information security)


This report is confidential and is intended for use by the management and Directors of ICO only. It forms part of our continuing dialogue with you. It should not be made available, in whole or in part, to any third party without our prior written consent. We do not accept responsibility for any reliance that third parties may place upon this report. Any third party relying on this report does so entirely at its own risk. We accept no liability to any third party for any loss or damage suffered or costs incurred, arising out of or in connection with the use of this report, however such loss or damage is caused.


It is the responsibility solely of ICO's management to ensure that there are adequate arrangements in place in relation to risk management, governance and control. 


Information Commissioner's Office IT Asset Management Review - Phase 1 


1 Executive Summary 


1.1 Background 

As part of the 2016-17 Internal Audit Plan, we have agreed with 
management and the Audit Committee to undertake a review to provide 
assurance over the process to manage IT assets. Following an incident 
involving a missing (secure) laptop, a review was requested by the Audit 
Committee over the controls over Accountable Security devices (called the 
“Cryptographic Controls” review). The ICO is also implementing a revised 
process to manage all IT assets going forward. This review focuses on how 
IT assets are managed and controlled but does not cover the specific 
requirements for compliance with CESG requirements. 


1.2 Scope 

The objectives of the review are to provide assurance over the adequacy of 
controls over the management of IT assets. The findings and conclusions 
from this review will support our annual opinion to the Audit Committee 
on the adequacy and effectiveness of governance arrangements. The 
review will be delivered in two phases: 


1 An assessment of the design of the IT asset management processes to identify opportunities for improvement; and

2 A review of the operational processes based upon the new set of IT asset management controls reviewed in phase 1.


This report relates to the first of the two phases, i.e. the design of new controls and processes which will be introduced. Our review considered the following risks:

• IT assets are missing and are unknown to ICO management

• A lost IT asset may contain sensitive information, which could result in reputational damage

• Asset re-use / redeployment is poor, leading to ICO purchasing additional assets and therefore increasing costs

• Unauthorised procurement leads to additional time spent managing and integrating the unauthorised asset

Further details on responsibilities, approach and scope are included in Appendix A.


1.3 Overall conclusion 


Overall assessment - Design Effectiveness 


We have identified matters which, if resolved, will help management fulfil 
their responsibility to maintain a robust system of internal control. 


Please refer to appendix B for further information regarding our overall 
assessment and audit finding ratings. 


The table below details the key findings from our review.




1.4 Key findings 


Risk / Process          | High | Medium | Low
------------------------|------|--------|----
IT asset management     | 0    | 1      | 0
IT asset procurement    | 0    | 0      | 1
IT asset usage          | 0    | 0      | 1
Total                   | 0    | 1      | 2


There are no high rated findings arising out of our review and we 
identified one medium rated finding; IT assets are not reconciled between 
an independent source such as an invoice or delivery note and the IT 
assets at the ICO. 


Further details of our findings and recommendations are provided in 
Section 2. 


1.5 Basis of opinion 
We identified the following good practices:

• One person has responsibility for all physical IT assets and records

• Software asset manager post in place

• Formal procurement process in place for projects

• Management structure in place to oversee IT asset governance


1.6 Acknowledgement 


We would like to take this opportunity to thank the staff involved for their 
co-operation during this internal audit. 
2 Detailed Findings


2.1 IT asset management 




1 | Medium | Accurate and complete asset records are not in place

Finding and Implication

On a bi-annual basis the ALMO conducts a physical audit of all IT assets except ACCSEC devices. ACCSEC devices are covered as part of the annual ACCSEC audit carried out by the Custodian to meet CESG requirements. The results of the physical audit are not being formally captured or reported to management. Additionally, although the non-ACCSEC assets are subject to a physical audit and the results of that audit are reconciled against the ICO asset register spreadsheet, there is no reconciliation against an independent source of asset information, such as an invoice or delivery note.

The asset management policy states that should any issues be identified as part of the audit, these should be raised with the IT Helpdesk, and decisions on next steps are made by the business based on the criticality of the incident. The policy does not state how this assessment of criticality should be carried out.

Asset record keeping that is not operating effectively undermines the accuracy of a physical asset count, which can in turn mean that assets that may be lost or stolen are not identified in a timely manner, leading to damage to the ICO's reputation.

Proposed action

The results of physical audits should be recorded within the asset register (when the last physical audit was conducted and by whom) and shared with the IGSG.

The incident management process over lost or stolen assets should include how to assess the criticality and therefore the appropriate action to take.

Agreed action (Date / Ownership)

Physical audit log to be added to asset register. Once each physical audit is complete, the record is to be copied from the asset register and held as a stand-alone record of that period's physical asset check. Reference to this to be added to the Asset Management procedure V1.0.

Asset Management procedure V1.0 to be updated to include risk assessment and action plan.

Date Effective: Complete by 31 January 2017 to enable the phase II review of the operational processes referred to in 1.2 above.

Owner: Emma Deen
2.2 IT asset procurement




2 | Low | Lack of guidance on non-project IT procurement

Finding and Implication

The ICO utilises the project management process to introduce new technology or make any significant changes to existing technologies. Under project management governance, purchases of equipment are made which are subject to management approval. IT assets that are not requested as part of a project (such as mice and keyboards) do not have a formal procurement process to follow. We identified that asset procurement can be initiated in three ways:

1. As a result of a new project
2. Replacing an asset as a result of end of life or damage
3. Other ad-hoc equipment requests

Assets that are procured for a project will go through the formal project management governance and are approved by the project board. Other IT asset purchases are reviewed by the IT Service Team Manager and approved by the Group Manager, Business Development.

Most IT equipment purchases are raised with ICO's approved suppliers, Northgate or SCC. However, we noted that where purchases are made for low value items (such as a keyboard or a mouse), the purchase can be made with a different supplier. It is not clear what can be purchased outside of the formal IT procurement process, or how.

We were informed that where assets are not procured with approved suppliers (such as Northgate and SCC), ensuring that ICO's technical standards are being adhered to is the responsibility of the Group Manager, Business Development.

Proposed action

The process for non-project asset procurement should be documented and set out what can be purchased, from where, and who has the authority to approve such purchases.

Agreed action (Date / Ownership)

Non-project IT procurement process to be documented and shared with those with delegated authority.

Date Effective: 31 January 2017

Owner: Emma Deen

2.3 IT asset usage 

3 | Low | Monitoring of IT assets not connected to the network

Finding and Implication

Monitoring is not in place on all devices to identify ICO IT assets that have not been connected to the network for an appropriate period of time. Such devices may be candidates for redeployment, or lack of connection may indicate that an asset has been lost or stolen.

Proposed action

Management should ensure that monitoring is in place to identify that ICO IT equipment is in active use.

Desktop management tools enable asset monitoring via Active Directory, which ICO cannot utilise. Management are reviewing their IT Service Desk system solution and a new system could incorporate asset monitoring.

Agreed action (Date / Ownership)

It was explained during the audit that ICO are limited in what they can do to monitor hardware use via network activity. We don't have direct control over this because of our contractual relationship with Northgate Public Services.

The RSA portal reports enable us to monitor home working log in frequency. This will allow us to identify staff who haven't logged in via their allocated device for an extended period of time. Report to be added to monthly monitoring.

Replacement IT service desk requirement checklist to include system monitoring abilities as a 'should have' requirement.

Date Effective: 31 January 2017

Owner: Emma Deen
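The two controls recommended in findings 1 and 3 (reconciling the physical count against an independent source such as a delivery note, and flagging allocated devices that have not been seen for an extended period) can be run as one simple check over the asset register. The example below is added here and is not ICO's or the auditor's code; the register, delivery notes, physical count and login lines are all constructed, and the 60-day threshold is an assumed "appropriate period".

```python
"""Asset-register reconciliation and stale-device check (added example)."""
from datetime import date, timedelta

# Constructed sample data, not ICO records. Keys are serial numbers.
REGISTER = {                                   # the asset register spreadsheet
    "SN-1001": {"asset_no": "ICO-001", "user": "alice", "accsec": True},
    "SN-1002": {"asset_no": "ICO-002", "user": "bob",   "accsec": False},
    "SN-1003": {"asset_no": "ICO-003", "user": "carol", "accsec": False},
}
DELIVERY_NOTES = {"SN-1001", "SN-1002", "SN-1003", "SN-1004"}  # independent source
PHYSICAL_COUNT = {"SN-1001", "SN-1003", "SN-1005"}             # what the ALMO found
# Constructed remote-login report lines in the form "date,user,serial"
LOGINS = """2017-01-15,alice,SN-1001
2016-10-02,bob,SN-1002
2016-12-20,carol,SN-1003"""


def reconcile(register, delivery_notes, physical_count):
    """Three-way reconciliation: what a physical audit should record beyond
    'register matches count'. Each list is sorted for stable reporting."""
    registered = set(register)
    return {
        "delivered_not_registered": sorted(delivery_notes - registered),
        "registered_not_found": sorted(registered - physical_count),
        "found_not_registered": sorted(physical_count - registered),
    }


def last_seen(login_log):
    """Parse login lines into {serial: most recent login date}."""
    seen = {}
    for line in login_log.splitlines():
        day, _user, serial = line.strip().split(",")
        when = date.fromisoformat(day)
        seen[serial] = max(when, seen.get(serial, when))
    return seen


def stale_devices(register, login_log, as_of, max_days=60):
    """Registered devices with no login within max_days of as_of (ISO date).
    ACCSEC devices are labelled so they can be escalated separately."""
    seen = last_seen(login_log)
    cutoff = date.fromisoformat(as_of) - timedelta(days=max_days)
    stale = []
    for serial, rec in register.items():
        when = seen.get(serial)
        if when is None or when < cutoff:
            kind = "ACCSEC" if rec["accsec"] else "standard"
            stale.append((serial, rec["asset_no"], kind))
    return sorted(stale)
```

A device that is both "registered_not_found" and stale is the case the finding warns about: a candidate for a lost-or-stolen incident rather than just redeployment.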
A Internal audit approach


Approach 

Our audit will be carried out in accordance with the guidance contained within the Public Sector Internal Audit Standards (2013) and the Auditing Practices Board's "Guidance for Internal Auditors".


The objectives of the review are to provide assurance over the adequacy of 
controls over IT assets, in the following areas: 


• Procurement of IT assets is limited to members of IT management, to ensure control is maintained over the incoming IT assets

• All IT assets are recorded with the details pertaining to that asset (such as value, owner, location, serial number and asset number) and a process is in place to ensure IT assets' information is kept up to date

• Assets are regularly physically identified and asset records are reconciled

• ICO has the ability to determine market price for IT assets to ensure value for money

• Processes are in place to manage software licences (available licences are recorded, usage is regularly captured and available licences are used before purchasing new licences)

• Use of software is in line with licence agreements

• Renewal dates for licence agreements are documented and responsibility for software licence renewal is in place

• Reporting of assets periodically to senior management

• A process is in place to ensure unauthorised equipment or assets are identified and that IT establish the underlying reasons why this has happened


We achieved our audit objectives by: 


• agreeing the principles and benefits of effective risk management arrangements with management;

• meeting with key staff to gain an understanding of the arrangements in place, building upon the information we have already gained through our audit planning process;

• reviewing key documents that support the processes in place; and

• comparing existing arrangements with established best practice and other guidance.


The findings and conclusions from this review will support our annual 
opinion to the Audit Committee on the adequacy and effectiveness of 
internal control arrangements. 




Additional information 
Client staff 
The following staff were consulted as part of this review: 


• Christopher Goode, Asset and Licence Management Officer
• Julie Tornetta, IT Service Team Manager
• Emma Deen, Group Manager, Business Development


Documents received 


The following documents were received during the course of this audit: 


1. Asset management register
2. Software licence register
3. Asset management procedure
4. Example IT Asset changes email
5. Presentation on secure disposal to ICO staff
6. Homeworking kit process


Locations 
We visited The Information Commissioner's Office, Wilmslow for 
this review. 


© 2017 Grant Thornton UK LLP. All rights reserved. 




Overall assessment and audit issues ratings 


Overall assessment

The overall assessment is one of the following three ratings, listed from most to least serious:

• Following agreement of the nature and significance of individual issues with management, in our view this report contains matters which should be raised with Senior Management and the Audit Committee at the earliest opportunity.

• Following agreement of the nature and significance of individual issues with management, in our view this report contains matters which require the attention of management to resolve and report on progress in line with current follow up processes.

• We have identified matters which, if resolved, will help management fulfil their responsibility to maintain a robust system of internal control.


Audit issue rating 
Within each report, every audit issue is given a rating. 


Rating: High
Description: Findings that are fundamental to the management of risk in the business area, representing a weakness in control that requires the immediate attention of management.
Features:
• Key control not designed or operating effectively
• Potential for fraud identified
• Non compliance with key procedures / standards
• Non compliance with regulation

Rating: Medium
Description: Important findings that are to be resolved by line management.
Features:
• Impact is contained within the department and compensating controls would detect errors
• Possibility for fraud exists
• Control failures identified but not in key controls
• Non compliance with procedures / standards (but not resulting in key control failure)

Rating: Low
Description: Findings that identify non-compliance with established procedures.
Features:
• Minor control weakness
• Minor non compliance with procedures / standards

Description: Items requiring no action but which may be of interest to management, or best practice advice.
Features:
• Information for department management
• Control operating but not necessarily in accordance with best practice